It is a common misconception that installing a firewall and having anti-virus on PCs and servers keeps businesses safe from malware, ransomware, and data breaches. These solutions are just parts of the layered approach needed to protect the organization. Human factors need to be considered along with technological components. Technological systems have been improving at a rapid pace and it has become difficult for attackers to bypass them in a timely manner, so attackers have resorted to attacking the human element. The result has been phishing emails, phone calls, and impersonation in order to deposit the technological attack behind the security hardware such as the firewall.
Recently several government offices have been in the news where municipalities have shut down due to ransomware encrypting all files on the network. In some cases, the ransom is paid, such as with the Florida City attack in June of 2019 or a state of emergency is declared such as in Louisiana. In these cases, the infection started with a staff member opening an infected email attachment. An innocent looking message presented itself as a valid message. Commonly these messages come in appearing to be FedEx or UPS shipping notifications or fake emails from other staff members where the From name is very close to a real one. In many cases the staff member may not be aware that the infection has begun.
How do we mitigate the human factor?
Awareness and education. Regularly educate and remind staff to be aware of fake emails. Consider utilizing training companies that specialize in education and testing staff on safe practices.
Help staff identify common phishing and malware techniques that disguise malware as common day-to-day tasks. For example, FedEx and UPS will not send confirmations unless something is shipped. If nothing has been shipped recently, delete the messages. Validate the message comes from FedEx.com and UPS.com. In the best case, sign in to the accounts and see if the tracking numbers match.
Educate staff on who their support teams are and how to contact them. It is important that staff be aware of who they should contact for support. They should know how to reach them. This is important to prevent impersonation. In some cases, staff are targeted with specifics that may cause them to turn over control of their workstation to an intruder. It is common for intruders to do some research and find out which staff or support company provides IT support. They then call in posing as that person or company. If the staff member hasn’t contacted support or is suspicious about the caller, they should know how to call so they can inform the person on the phone that they will call back. When the staff member does call back, if the support call was real, support can continue. If it was an intruder, the staff member may have just saved the company from malicious intent.
Hover over links in emails and make sure they go where they say they go. For example, users of Microsoft Office 365 may see an email about a message in quarantine. The attached links will always go to Microsoft.com, office.com and onmicrosoft.com. They will never go to randomized gibberish link such as http://microsoft.dadrsdagsdafueryhhe.ce.
Validate requests. It is worth a call asking the apparent sender if they sent a message. An email coming from firstname.lastname@example.org requesting a staff member to perform a wire transfer or download a file and install it on their PC is suspicious enough to warrant reaching out and validating the request.
What about technological factors?
Most organizations already have a firewall or anti-virus in place. These tools should be managed and kept up-to-date. Proactively update organization servers and workstations. However, make sure to think about how to recover if there is an incident. In the breach in the Florida city, the city government paid just under $600,000 to try and recover their data and there is no guarantee that the recovery information will ever be sent. Paying the ransom infers that the City has otherwise lost all the information that has been encrypted and they have no way to recover it.
What happened to the backups? If there were backups, test them periodically. A backup solution that cannot restore files is not a backup. Were the backups themselves encrypted? It is old advice, but it is always recommended to have weekly, monthly, and annual backups, preferably on a cold medium such as the cloud or powered down media. Keeping only 7 days of backups doesn’t help if the infection was unnoticed for 7 days and now all the backup files themselves are encrypted.
Education and testing both help prevent intrusions and if the intrusion is successful, help reduce the financial and time cost to restore organizations operations. Education helps reduce the chance of the infection and having the tools in place to recover and testing them reduce the risk and impact of recovering. Sikich can help. We offer a full range of security and networking services. Contact us if you would like assistance in protecting your firm!